packages: libwmf/libwmf.spec, libwmf/libwmf-0.2.8.4-CAN-2004-0941.patch (NE...
draenog
draenog at pld-linux.org
Thu Jan 6 19:52:40 CET 2011
Author: draenog Date: Thu Jan 6 18:52:40 2011 GMT
Module: packages Tag: HEAD
---- Log message:
- patch internal version of gd (taken from Fedora)
- rel. 14
---- Files affected:
packages/libwmf:
libwmf.spec (1.98 -> 1.99) , libwmf-0.2.8.4-CAN-2004-0941.patch (NONE -> 1.1) (NEW), libwmf-0.2.8.4-CVE-2007-0455.patch (NONE -> 1.1) (NEW), libwmf-0.2.8.4-CVE-2007-2756.patch (NONE -> 1.1) (NEW), libwmf-0.2.8.4-CVE-2007-3472.patch (NONE -> 1.1) (NEW), libwmf-0.2.8.4-CVE-2007-3473.patch (NONE -> 1.1) (NEW), libwmf-0.2.8.4-CVE-2007-3477.patch (NONE -> 1.1) (NEW), libwmf-0.2.8.4-CVE-2009-3546.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: packages/libwmf/libwmf.spec
diff -u packages/libwmf/libwmf.spec:1.98 packages/libwmf/libwmf.spec:1.99
--- packages/libwmf/libwmf.spec:1.98 Mon Nov 1 21:20:07 2010
+++ packages/libwmf/libwmf.spec Thu Jan 6 19:52:34 2011
@@ -8,7 +8,7 @@
Summary(pl.UTF-8): libwmf - biblioteka z funkcjami do konwersji plików WMF
Name: libwmf
Version: 0.2.8.4
-Release: 13
+Release: 14
Epoch: 2
License: LGPL v2+
Group: Applications/Text
@@ -19,6 +19,13 @@
Patch2: %{name}-segv.patch
Patch3: %{name}-png12.patch
Patch4: %{name}-0.2.8.4-useafterfree.patch
+Patch5: %{name}-0.2.8.4-CVE-2007-0455.patch
+Patch6: %{name}-0.2.8.4-CVE-2007-3472.patch
+Patch7: %{name}-0.2.8.4-CVE-2007-3473.patch
+Patch8: %{name}-0.2.8.4-CVE-2007-3477.patch
+Patch9: %{name}-0.2.8.4-CVE-2007-2756.patch
+Patch10: %{name}-0.2.8.4-CAN-2004-0941.patch
+Patch11: %{name}-0.2.8.4-CVE-2009-3546.patch
URL: http://wvware.sourceforge.net/
BuildRequires: autoconf >= 2.59-9
BuildRequires: automake
@@ -107,6 +114,13 @@
%patch2 -p1
%patch3 -p1
%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
%build
rm configure.in
@@ -194,6 +208,10 @@
All persons listed below can be reached at <cvs_login>@pld-linux.org
$Log$
+Revision 1.99 2011/01/06 18:52:34 draenog
+- patch internal version of gd (taken from Fedora)
+- rel. 14
+
Revision 1.98 2010/11/01 20:20:07 arekm
- release 13
================================================================
Index: packages/libwmf/libwmf-0.2.8.4-CAN-2004-0941.patch
diff -u /dev/null packages/libwmf/libwmf-0.2.8.4-CAN-2004-0941.patch:1.1
--- /dev/null Thu Jan 6 19:52:40 2011
+++ packages/libwmf/libwmf-0.2.8.4-CAN-2004-0941.patch Thu Jan 6 19:52:34 2011
@@ -0,0 +1,17 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:02:37.407589824 -0500
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:04:29.672522960 -0500
+@@ -188,6 +188,14 @@
+
+ png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ &interlace_type, NULL, NULL);
++ if (overflow2(sizeof (int), width))
++ {
++ return NULL;
++ }
++ if (overflow2(sizeof (int) * width, height))
++ {
++ return NULL;
++ }
+ if ((color_type == PNG_COLOR_TYPE_RGB) ||
+ (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
+ {
================================================================
Index: packages/libwmf/libwmf-0.2.8.4-CVE-2007-0455.patch
diff -u /dev/null packages/libwmf/libwmf-0.2.8.4-CVE-2007-0455.patch:1.1
--- /dev/null Thu Jan 6 19:52:40 2011
+++ packages/libwmf/libwmf-0.2.8.4-CVE-2007-0455.patch Thu Jan 6 19:52:34 2011
@@ -0,0 +1,11 @@
+--- libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:18:26.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:21:09.000000000 +0000
+@@ -811,7 +811,7 @@
+ {
+ ch = c & 0xFF; /* don't extend sign */
+ }
+- next++;
++ if (*next) next++;
+ }
+ else
+ {
================================================================
Index: packages/libwmf/libwmf-0.2.8.4-CVE-2007-2756.patch
diff -u /dev/null packages/libwmf/libwmf-0.2.8.4-CVE-2007-2756.patch:1.1
--- /dev/null Thu Jan 6 19:52:40 2011
+++ packages/libwmf/libwmf-0.2.8.4-CVE-2007-2756.patch Thu Jan 6 19:52:34 2011
@@ -0,0 +1,16 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c 1 Apr 2007 20:41:01 -0000 1.21.2.1
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 16 May 2007 19:06:11 -0000
+@@ -78,8 +78,11 @@
+ gdPngReadData (png_structp png_ptr,
+ png_bytep data, png_size_t length)
+ {
+- gdGetBuf (data, length, (gdIOCtx *)
+- png_get_io_ptr (png_ptr));
++ int check;
++ check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
++ if (check != length) {
++ png_error(png_ptr, "Read Error: truncated data");
++ }
+ }
+
+ static void
================================================================
Index: packages/libwmf/libwmf-0.2.8.4-CVE-2007-3472.patch
diff -u /dev/null packages/libwmf/libwmf-0.2.8.4-CVE-2007-3472.patch:1.1
--- /dev/null Thu Jan 6 19:52:40 2011
+++ packages/libwmf/libwmf-0.2.8.4-CVE-2007-3472.patch Thu Jan 6 19:52:34 2011
@@ -0,0 +1,59 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -106,6 +106,18 @@
+ gdImagePtr im;
+ unsigned long cpa_size;
+
++ if (overflow2(sx, sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof (int *), sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof(int), sx)) {
++ return NULL;
++ }
++
+ im = (gdImage *) gdMalloc (sizeof (gdImage));
+ if (im == 0) return 0;
+ memset (im, 0, sizeof (gdImage));
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000
+@@ -2,6 +2,7 @@
+ #include "gdhelpers.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ /* TBB: gd_strtok_r is not portable; provide an implementation */
+
+@@ -94,3 +95,18 @@
+ {
+ free (ptr);
+ }
++
++int overflow2(int a, int b)
++{
++ if(a < 0 || b < 0) {
++ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
++ return 1;
++ }
++ if(b == 0)
++ return 0;
++ if(a > INT_MAX / b) {
++ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
++ return 1;
++ }
++ return 0;
++}
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000 +0000
+@@ -15,4 +15,6 @@
+ void *gdMalloc(size_t size);
+ void *gdRealloc(void *ptr, size_t size);
+
++int overflow2(int a, int b);
++
+ #endif /* GDHELPERS_H */
================================================================
Index: packages/libwmf/libwmf-0.2.8.4-CVE-2007-3473.patch
diff -u /dev/null packages/libwmf/libwmf-0.2.8.4-CVE-2007-3473.patch:1.1
--- /dev/null Thu Jan 6 19:52:40 2011
+++ packages/libwmf/libwmf-0.2.8.4-CVE-2007-3473.patch Thu Jan 6 19:52:34 2011
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd)
+ }
+ bytes = (w * h / 8) + 1;
+ im = gdImageCreate (w, h);
++ if (!im) {
++ return 0;
++ }
++
+ gdImageColorAllocate (im, 255, 255, 255);
+ gdImageColorAllocate (im, 0, 0, 0);
+ x = 0;
================================================================
Index: packages/libwmf/libwmf-0.2.8.4-CVE-2007-3477.patch
diff -u /dev/null packages/libwmf/libwmf-0.2.8.4-CVE-2007-3477.patch:1.1
--- /dev/null Thu Jan 6 19:52:40 2011
+++ packages/libwmf/libwmf-0.2.8.4-CVE-2007-3477.patch Thu Jan 6 19:52:34 2011
@@ -0,0 +1,38 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -1335,10 +1335,31 @@
+ int w2, h2;
+ w2 = w / 2;
+ h2 = h / 2;
+- while (e < s)
+- {
+- e += 360;
+- }
++
++ if ((s % 360) == (e % 360)) {
++ s = 0; e = 360;
++ } else {
++ if (s > 360) {
++ s = s % 360;
++ }
++
++ if (e > 360) {
++ e = e % 360;
++ }
++
++ while (s < 0) {
++ s += 360;
++ }
++
++ while (e < s) {
++ e += 360;
++ }
++
++ if (s == e) {
++ s = 0; e = 360;
++ }
++ }
++
+ for (i = s; (i <= e); i++)
+ {
+ int x, y;
================================================================
Index: packages/libwmf/libwmf-0.2.8.4-CVE-2009-3546.patch
diff -u /dev/null packages/libwmf/libwmf-0.2.8.4-CVE-2009-3546.patch:1.1
--- /dev/null Thu Jan 6 19:52:40 2011
+++ packages/libwmf/libwmf-0.2.8.4-CVE-2009-3546.patch Thu Jan 6 19:52:34 2011
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:56:06.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:57:04.000000000 +0000
+@@ -42,6 +42,10 @@
+ {
+ goto fail1;
+ }
++ if (&im->colorsTotal > gdMaxColors)
++ {
++ goto fail1;
++ }
+ }
+ /* Int to accommodate truecolor single-color transparency */
+ if (!gdGetInt (&im->transparent, in))
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/libwmf/libwmf.spec?r1=1.98&r2=1.99&f=u
More information about the pld-cvs-commit
mailing list